2023-01-21

Google has released OSV-Scanner, an open source front end to the Open Source Vulnerability (OSV) database. The OSV database is a distributed open source database that stores vulnerability information in the OSV format. OSV-Scanner evaluates a project's dependencies against the OSV database and lists every vulnerability that applies to the project.

When scanning a project, OSV-Scanner first determines all dependencies in use by analyzing manifests, software bills of materials (SBOMs) and code commit hashes. This information is used to query the OSV database and report the vulnerabilities that affect the project. Results are reported as a table or, optionally, as JSON in the OSV format.

The OSV format provides a machine-readable JSON schema for representing vulnerability information. It enforces versioning conventions that match the naming and version schemes actually used by open source packages. According to Oliver Chang, a senior Google engineer, and Russ Cox, a Google distinguished engineer, this approach "can be used to characterize vulnerabilities in any open source ecosystem without relying on the logic of the ecosystem to handle them."

{
  "schema_version": "1.3.0",
  "id": "GHSA-c3g4-w6cv-6v7h",
  "modified": "2022-04-01T13:56:42Z",
  "published": "2022-04-01T13:56:42Z",
  "aliases": [ "CVE-2022-27651" ],
  "summary": "Non-empty default inheritable capabilities for linux container in Buildah",
  "details": "A bug was found in Buildah where containers were created ...",
  "affected": [
    {
      "package": { "ecosystem": "Go", "name": "github.com/containers/buildah" },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [ { "introduced": "0" }, { "fixed": "1.25.0" } ]
        }
      ]
    }
  ],
  "references": [
    { "type": "WEB", "url": "https://github.com/containers/buildah/commit/..." },
    { "type": "PACKAGE", "url": "https://github.com/containers/buildah" }
  ]
}

Use the command osv-scanner -r /path/to/your/dir to scan a directory and find the lockfiles, SBOMs and git directories it contains; the -r option enables recursive scanning. OSV-Scanner currently supports SPDX and CycloneDX SBOMs that use Package URLs, as well as several lockfile formats, including yarn.lock, composer.lock, go.mod and Gemfile.lock.

OSV-Scanner can also scan the packages installed in Debian-based Docker images for vulnerabilities: $ osv-scanner --docker image_name:latest. This requires Docker to be installed, and it does not yet scan the container's filesystem. More details about this preview feature can be found in the GitHub issue.

OSV-Scanner can be configured to ignore vulnerabilities by vulnerability ID, optionally with an expiration date and a reason for the exception. Vulnerabilities to ignore are listed under the IgnoredVulns key.

[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09
reason = "No ssh servers are connected to or hosted in Go lang"
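To make the two mechanisms above concrete, here is an added example (not code from OSV-Scanner or the OSV project) that evaluates a package version against the SEMVER "introduced"/"fixed" events of an OSV entry, and applies an IgnoredVulns exception only while its ignoreUntil date has not passed. The entry is a trimmed copy of the Buildah advisory shown earlier; the ignore list is a constructed stand-in for the parsed TOML table, with dates kept as ISO strings.

```python
import json
import re

# Constructed sample, trimmed from the Buildah advisory quoted above.
OSV_ENTRY = json.loads("""{
  "id": "GHSA-c3g4-w6cv-6v7h", "aliases": ["CVE-2022-27651"],
  "affected": [{"package": {"ecosystem": "Go", "name": "github.com/containers/buildah"},
                "ranges": [{"type": "SEMVER",
                            "events": [{"introduced": "0"}, {"fixed": "1.25.0"}]}]}]
}""")
# Constructed stand-in for a parsed [[IgnoredVulns]] table; dates kept as ISO strings.
IGNORED = [{"id": "GO-2022-0968", "ignoreUntil": "2022-11-09", "reason": "No ssh servers"}]

def semver_key(version):
    """Int tuple for comparing SEMVER strings; pre-release/build tags dropped (simplification)."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))

def intervals(events):
    """Pair each 'introduced' event with the next 'fixed' one; None means still unfixed."""
    out, start = [], None
    for event in events:
        if "introduced" in event:
            start = semver_key(event["introduced"])
        elif "fixed" in event and start is not None:
            out.append((start, semver_key(event["fixed"])))
            start = None
    if start is not None:
        out.append((start, None))
    return out

def is_affected(entry, ecosystem, name, version):
    """True if the package version lies in any SEMVER range of the OSV entry."""
    v = semver_key(version)
    for affected in entry["affected"]:
        pkg = affected["package"]
        if (pkg["ecosystem"], pkg["name"]) != (ecosystem, name):
            continue
        for rng in affected.get("ranges", []):
            if rng["type"] != "SEMVER":
                continue
            if any(v >= lo and (hi is None or v < hi) for lo, hi in intervals(rng["events"])):
                return True
    return False

def is_ignored(vuln_id, ignored, today):
    """Honour an IgnoredVulns entry only while its ignoreUntil (if set) has not passed."""
    return any(i["id"] == vuln_id and (i.get("ignoreUntil") is None or today <= i["ignoreUntil"])
               for i in ignored)
```

Note that an expired ignoreUntil makes the finding reappear, which is the point of dating an exception rather than silencing an ID for good.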

OSV-Scanner is also integrated into the vulnerability check of OpenSSF Scorecard. Scorecard is an automated security tool for identifying supply chain risks in open source projects. With OSV-Scanner integrated, Scorecard can now scan for vulnerabilities both in the project itself and in its dependencies.

Google software engineer Rex Pan shared some details of the plans for OSV-Scanner. The team intends to provide a standalone CI action so that the scanner can be integrated more easily into existing workflows. Pan said they hope to improve support for C and C++ by "adding precise commit-level metadata to CVE to build a high-quality C/C++ vulnerability database."

OSV-Scanner is licensed under the Apache License 2.0, and the code is hosted on GitHub. More details about the project can be found in the announcement article.
